GitHub and Application Security
Github is the largest code hosting collaboration platform for software engineers, programmers, and developers to build code. With version control and a focus on file content, GitHub makes it easy for developers to rename, split, and reorganize project files without restrictions. They can simply keep adding new files to the repository, and revisit a particular version of the project code almost immediately.
The main reasons developers LOVE GitHub:
- Streamlines the development process
- Allows for easier collaboration
- Enables external parties to see these changes and contribute to the code
- Version control – allowing for monitoring of the latest revisions
Fundamentals of GitHub
Before we dive into the benefits of GitHub it is important for AppSec teams to be aware of the terms that they might run into, so let’s start with some key glossary terms:
Repository – A repository (or “repo” for short) is the most basic element of GitHub, containing all of the project files (including documentation), and stores each file’s revision history.
Dependency graph – A repository graph that shows the packages and projects that the repository depends on.
Branches – Branches allow you to develop features, fix bugs, or safely experiment with new ideas in a contained area of your repository. You always create a branch from an existing branch. Typically, you might create a new branch from the default branch of your repository.
Forking – This is one of the features that developers love about GitHub, Forking is when you create a new project based on one that already exists. It is a copy of a repo that sits in your account rather than the account from which you forked the data from, allowing you to edit the contents of your forked repository without impacting the parent repo.
Pull Requests – Pull requests (PRs) notify others about changes you’ve pushed to a branch in a repo. Once a PR is opened, you can discuss and review potential changes with collaborators and add follow-up commits before your changes are merged into the base branch.
Merging – After a pull request, the changes you have made to your repository should be merged to the original repo. There are three ways to merge repos, depending on the merge options enabled for you. You can: merge all of the commits into the base branch; squash the commits into one commit; rebase the commits individually onto the base branch. Detailed information about this can be found on GitHub official documentation.
Changelogs – The nature of GitHub is such that it allows many people to work on the same project, contribute and change it. In order for everyone involved to stay on the same page regarding everything that happens to the repository, the platform enables changelog, keeping track of all changes.
Code Owner – A person who is designated as an owner of a portion of a repository’s code. The code owner is automatically requested for review when someone opens a pull request (not in draft mode) that makes changes to code the code owner owns.
CODEOWNERS file – You can use a CODEOWNERS file to define individuals or teams that are responsible for code in a repository.
Teams – Teams are groups of organization members that reflect your company or group’s structure with cascading access permissions and mentions.
GitHub Actions – GitHub Actions makes it easy to automate all your software workflows, now with world-class CI/CD. Build, test, and deploy your code right from GitHub. Make code reviews, branch management, and issue triaging work the way you want.
Benefits of Using GitHub
Now that we have covered some of the main terms that AppSec teams will run into, let’s chat about the benefits of GitHub from a developer perspective so we can understand them a bit more.
Ease of Use & Collaboration
One of the things about the platform that attracts so many developers to GitHub, is that it allows them to easily exchange code, review each other’s project, and manage software code in real time. Additionally, teams can leverage GitHub’s native issue tracking, real-time analytics, feature requests, commenting and notes, feedback management, and more to enable collaboration.
Cloning and Time-Saved
Traditionally, developers had to interact with the main server while working on their own project or when contributing to someone else’s. With GitHub developers have the ability to clone a GIT Project through the command-line tool so developers have access to the entire history and changelog. This saves time and allows for less disruption during development.
Version control allows developers to track changes made to their code and allows them to easily see who made it, while simultaneously keeping and providing a full version history. This is something extremely useful in terms of collaboration.
GitHub Actions and CI/CD Pipelines
Another reason why devs use GitHub is because of its powerful Actions capability which makes it really simple to automate software workflows. Additionally, users can easily set up a CI/CD so once they commit changes, Github Actions can easily automate the tasks of building, testing and deploying the code right from within Github..
Common AppSec Challenges with Using GitHub
Scaling AppSec at the speed of DevOps has been a challenge for most organizations. Modern source control systems like GitHub have enabled developers to go from code-to-cloud in a matter of hours, changing the dynamic between developers and AppSec teams. The ability to build and deploy code with a self-service foundation leaves AppSec teams with no visibility and control, leaving the questions of who created code, where that code resides, and the context around why.
With the scale in which developers create new code repos, AppSec teams cannot keep up with what is being added to the asset inventory. Which means, AppSec teams have no visibility into what is being created, who is responsible for that code, and traditional AppSec tools impede this fast paced modern software development lifecycle (SDLC).
The biggest question from most AppSec teams is, who the heck owns this code? Often, AppSec teams spend hours/days tracking down which developer owns or can help remediate a vulnerability because there is not appropriate ownership data.
Software dependencies allow developers to more quickly deliver software by building on previous work, making software dependencies a key ingredient of modern applications. But, the challenge for AppSec teams is how do you influence developers to understand the security risks that are being introduced in dependencies and how do you manage that risk.
Lack of Security Control & Influence
AppSec teams today are left on the sidelines as developers deploy code. Without any visibility or any way to influence developer behavior, there is no way for AppSec teams to drive adoption and enforce the use of secure defaults or security controls to prevent risk from being introduced in SDLC.
Additionally, security teams should always make sure that GitHub is configured correctly, but that is a whole different topic altogether.
How Tromzo Enables Visibility and Control within GitHub
GitHub has helped increase the speed of DevOps, but there is little to no visibility and control for security teams. This is where Tromzo can help organizations with a unified developer-first application security management platform to enable:
- Centralized Visibility – centralizes all software assets from dependencies and SBOMs to cloud services in one easily digestible UI, associates true ownership, and prioritizes them based on risk. This empowers AppSec teams with the foundational context needed to truly improve security risk posture.
- Security Guardrails – influences developer behavior by using pre-built and customizable security policies, defined by security teams and applied within developer workflows across Github. Enabling developers to go from code-to-cloud, securely.
- Workflow Automation – eliminates manual processes around implementing and managing security controls in Github with Tromzo’s no-code security automation. Automation is the only way to scale AppSec at the speed of DevOps.
- Reporting & Analytics – provides critical analytics via the insights from out-of-the-box and customizable dashboards for security accountability across engineering.
Additionally, in this series of how Tromzo can help with visibility and control within GitHub, we will be covering:
- GitHub Dependabot
- GitHub CodeQL, and
- GitHub Secret Scanner